Available at: https://digitalcommons.calpoly.edu/theses/3345
Date of Award
6-2026
Degree Name
MS in Computer Science
Department/Program
Computer Science
College
College of Engineering
Advisor
Dongfeng Fang
Advisor Department
Computer Science
Advisor College
College of Engineering
Abstract
The increasing sophistication of cyber threats has accelerated the adoption of deep learning in Network Intrusion Detection Systems (NIDSs). Despite their superior performance, the internal mechanism of these architectures remains opaque, which poses a significant barrier to trust, accountability, and operational deployment in security-critical domains. To address this gap, recent NIDS research has primarily explored post-hoc Explainable AI (XAI) methods, such as LIME and SHAP. However, these post-hoc techniques are computationally expensive for real-time traffic, often exhibit a lack of consensus, and provide external approximations that can be misleading in high-stakes security environments.
To address these limitations, we propose an architecture that shifts from post-hoc explanations to intrinsic interpretability by introducing the Interpretable Multi-Variable sLSTM (IMV-sLSTM) network. Built upon the xLSTM architecture, our model integrates a mixture attention mechanism from the IMV-LSTM framework directly into recurrent cell logic, providing a faithful, quantifiable contribution of each network feature and time step natively during the forward pass. The framework is evaluated on the CICIDS-2017, CSE-CIC-IDS2018, UNSW-NB15, and ToN-IoT datasets. Our findings demonstrate that the IMV-sLSTM delivers robust predictive performance while providing faithful real-time explanations that facilitate comprehensive security auditing and help identify underlying model biases.